ssl issues centos 5.11

Discussion in 'Security' started by Venomous21, Mar 31, 2015.

  1. Venomous21 (Well-Known Member, cPanel Access Level: Root Administrator)

    Hello,

    I performed a scan of our server using ssllabs.com/ssltest/. The server is CentOS 5.11 x86_64 running the latest version of OpenSSL .98. I'm trying to figure out these results and whether they truly matter. On all my servers, Service Configuration > Apache Configuration > Global Configuration is set to SSL Cipher Suite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP (default) and SSL/TLS Protocols All -SSLv2 -SSLv3 (default). These servers are running the latest versions of PHP 5.4, Apache 2.2 and MySQL 5.5. Under Service Configuration > Apache Configuration > Include Editor, the "Pre Main Include", "Pre VirtualHost Include" and "Post VirtualHost Include" sections appear blank. I last compiled Apache on 3/25/15 with EA 3.28.5 for the latest version of PHP 5.4.

    [/var/log]# rpm -q openssl
    openssl-0.9.8e-32.el5_11

    I did not see any additional SSLCipherSuite entries in httpd.conf

    User "Ethical" on http://forums.cpanel.net/threads/ss...-how-to-adjust-cipher-protocols.432641/page-6 gets a similar problem regarding SSL v2 (more below).

    The test results:

    This server supports SSL 2, which is obsolete and insecure. Grade set to F. Does TLS_FALLBACK_SCSV protect against this? Why isn't that disabled automatically in EA when I recompile Apache? Possibly an error in the scanner? I'm shocked if this is actually enabled.

    https://www.centos.org/forums/viewtopic.php?t=21482 (possibly related)

    This server supports insecure Diffie-Hellman (DH) key exchange parameters. Grade set to F. Not sure about this one; would appreciate some advice.

    This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F. According to Red Hat, CentOS 5 is not vulnerable to the FREAK attack, so I assume this is a false positive.

    This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. From http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html , they say: "Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks." So I assume this again can be safely ignored.

    The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B. Again, I assume this is an OpenSSL .98.x issue and should be ignored until the server is upgraded to CentOS 6 or higher.

    This server accepts the RC4 cipher, which is weak. Grade capped to B. B rating; not sure if it matters. Advice appreciated.

    The server does not support Forward Secrecy with the reference browsers. Not sure if this matters; again, it might be an OpenSSL .98.x issue.

    This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks. This supposedly protects against POODLE unless I am misinterpreting something.

    Even google.com is rated a B. Thank you for your help.
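The post above describes the Global Configuration values but reports a scan result that does not match them. One thing worth checking before opening a ticket is that every SSLProtocol and SSLCipherSuite directive in the Apache configuration, including those inside virtual hosts (which override the global value for that host), actually says what the WHM screen shows. The following audit script is an added example written for this thread; it is not cPanel's code and not something the poster ran. It parses a constructed httpd.conf fragment (the global values are the cPanel defaults quoted above; the virtual host that re-enables SSLv2 and SSLv3 is invented for illustration), evaluates the mod_ssl 2.2 "all +/-" protocol syntax and the OpenSSL cipher-string syntax, and reports the same kinds of findings SSL Labs did (SSLv2/SSLv3 enabled, RC4 or export ciphers not excluded). The alias list for the anonymous-DH family, the assumption that "all" expands to SSLv2 through TLSv1.2, and the hardened cipher string are assumptions of this example, not settings taken from the thread.

```python
import re

# Constructed sample config (not from the thread). The global lines match the
# cPanel defaults quoted in the post; the VirtualHost block is invented to show
# how a per-host directive silently overrides the global protocol setting.
WEAK_CONF = """
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
<VirtualHost 192.0.2.10:443>
    ServerName example.test
    SSLProtocol all
</VirtualHost>
"""

# Constructed hardened variant: obsolete protocols off, weak families removed
# with '!' so that no later token in the string can re-add them.
HARDENED_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXP:!LOW
<VirtualHost 192.0.2.10:443>
    ServerName example.test
</VirtualHost>
"""

# Protocol names mod_ssl 2.2 accepts. Assumption: 'all' expands to every one
# of them (TLSv1.1/1.2 exist only when Apache is built against OpenSSL 1.0.1+).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3")

# Cipher families SSL Labs penalises, with aliases an admin might use to
# exclude them. Assumption: '!ADH' covers the anonymous suites of OpenSSL 0.9.8.
WEAK_FAMILIES = {
    "EXP": ("EXP", "EXPORT", "EXPORT40", "EXPORT56"),
    "RC4": ("RC4",),
    "LOW": ("LOW",),
    "aNULL": ("aNULL", "ADH"),
}

DIRECTIVE = re.compile(r"^(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)


def resolve_protocols(value):
    """Return the set of protocols an SSLProtocol value leaves enabled."""
    canonical = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled = set()
    for tok in value.split():
        sign, name = ("+", tok) if tok[0] not in "+-" else (tok[0], tok[1:])
        names = ALL_PROTOCOLS if name.lower() == "all" else (canonical.get(name.lower(), name),)
        for n in names:
            if sign == "+":
                enabled.add(n)
            else:
                enabled.discard(n)
    return enabled


def excluded_families(cipher_string):
    """Weak families removed by '!' (permanent) or by '-' with no later re-add.

    OpenSSL semantics: a bare token adds ciphers, '-' deletes them (a later
    ALL/COMPLEMENTOFALL or bare alias puts them back), '+' only reorders,
    and '!' deletes permanently.
    """
    excluded = set()
    for family, aliases in WEAK_FAMILIES.items():
        lower = {a.lower() for a in aliases}
        state = "in"
        for tok in cipher_string.split(":"):
            if not tok:
                continue
            sign, name = ("", tok) if tok[0] not in "+-!" else (tok[0], tok[1:])
            name = name.lower()
            if sign == "!" and name in lower:
                state = "killed"
                break
            if sign == "-" and name in lower:
                state = "out"
            elif sign == "" and (name in ("all", "complementofall") or name in lower):
                state = "in"
        if state != "in":
            excluded.add(family)
    return excluded


def audit(conf_text):
    """Walk the config scope by scope and list protocol/cipher findings."""
    scope, scopes = "global", ["global"]
    protocols, ciphers = {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            scope = m.group(1)
            scopes.append(scope)
            continue
        if line.lower() == "</virtualhost>":
            scope = "global"
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            protocols[scope] = resolve_protocols(m.group(2))
        else:
            ciphers[scope] = m.group(2)

    findings = []
    for s in scopes:
        # A vhost inherits the global directive; mod_ssl's own default is 'all'.
        enabled = protocols.get(s, protocols.get("global", set(ALL_PROTOCOLS)))
        for proto in OBSOLETE_PROTOCOLS:
            if proto in enabled:
                findings.append(f"{s}: {proto} enabled")
        cipher = ciphers.get(s, ciphers.get("global"))
        if cipher is not None:
            for family in WEAK_FAMILIES:
                if family not in excluded_families(cipher):
                    findings.append(f"{s}: {family} ciphers not excluded")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run against the constructed weak config, the audit reports that the default cipher string never excludes RC4 (matching the "accepts the RC4 cipher" result) and that the virtual host re-enables SSLv2 and SSLv3 despite the global setting; the hardened config yields no findings. A static read of the config cannot replace the live scan, because the protocols a server actually negotiates also depend on the OpenSSL build Apache is linked against, which is why an unexpected scan result is still worth a support ticket.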
     
  2. Venomous21 (Well-Known Member, cPanel Access Level: Root Administrator)

    How do I disable SSLv2? According to my options and description above, it should already be disabled, but it's not according to the SSL Labs test. I would appreciate responses to the other issues, but this is the main issue. Thank you.
     
  3. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Hello,

    Could you open a support ticket using the link in my signature so we can review your server and determine why the configured values are not detected on the SSL Labs report? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     